CVE-2009-4370
Drupal Core 6.x < 6.15 - Authenticated Cross-Site Scripting in Menu Description
Title source: llmDescription
Cross-site scripting (XSS) vulnerability in the Menu module (modules/menu/menu.admin.inc) in Drupal Core 6.x before 6.15 allows remote authenticated users with permissions to create new menus to inject arbitrary web script or HTML via a menu description, which is not properly handled in the menu administration overview.
References (5)
Core 5
Core References
Third Party Advisory, VDB Entry vdb-entry
x_refsource_xf
https://exchange.xforce.ibmcloud.com/vulnerabilities/54872
Patch, Vendor Advisory third-party-advisory
x_refsource_secunia
http://secunia.com/advisories/37815
Vendor Advisory x_refsource_confirm
http://drupal.org/node/661586
Patch x_refsource_confirm
http://drupal.org/files/sa-core-2009-009/SA-CORE-2009-009-6.14.patch
Third Party Advisory, VDB Entry vdb-entry
x_refsource_bid
http://www.securityfocus.com/bid/37372
Scores
EPSS
0.0015
EPSS Percentile
35.1%
Details
CWE
CWE-79
Status
published
Products (15)
drupal/drupal
6.0 (9 CPE variants)
drupal/drupal
6.1
drupal/drupal
6.2
drupal/drupal
6.3
drupal/drupal
6.4
drupal/drupal
6.5
drupal/drupal
6.6
drupal/drupal
6.7
drupal/drupal
6.8
drupal/drupal
6.9
... and 5 more
Published
Dec 21, 2009
Tracked Since
Feb 18, 2026